Many negotiation mechanisms are available when a client wants to authenticate to a remote server. One commonly known negotiation mechanism is the Simple and Protected Negotiation Mechanism (SPNEGO).
SPNEGO has many existing problems. One problem is that SPNEGO negotiates a common mechanism during the first round of negotiation. If this negotiated mechanism does not work and the client determines, based on a server policy, that it does not have the necessary credentials, the client cannot attempt a different security package. Thus, SPNEGO does not allow renegotiation after a first failed round trip. Another problem is that SPNEGO does not support providing auxiliary data in the negotiation. Such auxiliary data can be useful or even required when configuration information, such as the trust anchors on both the client and the server, is needed to determine whether a particular security mechanism can authenticate the client and the server.
Although SPNEGO provides a common negotiation mechanism, there is room for improvement. It is desirable to find ways to address these problems and other deficiencies.